VeriSign, maintainer of net’s DNS, warns it was repeatedly hacked

The company's management, which initially was kept in the dark about the …

VeriSign, the company that manages a key internet database for routing traffic to websites and email addresses, exposed private information after being hacked on multiple occasions in 2010, the company quietly disclosed late last year.

While executives with the Reston, Virginia company said they don't believe servers that maintain the DNS (domain name system) were breached, they couldn't rule out the possibility. They also warned that they couldn't guarantee steps taken to remediate the breach would succeed. What's more, the attacks, which came to light in an article published by Reuters on Tuesday, didn't come to the attention of managers in a timely manner.

“The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purposes of assessing any disclosure requirements,” VeriSign said in an Securities and Exchange filing in October. The tersely worded disclosure didn't say how many incidents occurred, when they happened or what information was obtained by the attackers.

Ken Silva, VeriSign's chief technology officer until November 2010, told reporter Joseph Menn he didn't learn of the breaches until contacted by the Reuters journalist. Based on the vague language in the filing, Silva speculated that VeriSign executives “probably can't draw an accurate assessment” of the damage.

A raft of companies that issue SSL (secure sockets layer) certificates used to verify the authenticity of millions of websites have also been successfully targeted. Among them is DigiNotar, a Netherlands-based certificate authority whose digital imprimatur was used to mint counterfeit credentials used to spy on some 300,000 Google Mail users, most of whom were located in Iran.

Until September 2010, VeriSign ran its own certificate issuing business. A spokeswoman for Symantec, which purchased the operation from VeriSign, told Reuters “there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.”